Digital risks and cyber risks: are they the same?

There are many definitions floating around for digital risk management and cyber security risk management, and the terms “digital risks” and “cyber risks” are often used loosely as synonyms.

Here are my thoughts on how these terms should be understood:

Digital risks are the risks involved in adopting digital initiatives, or in bringing in “digital transformation”. As against a manual approach, digital transformation uses electronic systems, tools, resources and methods to transact, communicate, record, approve, report and analyse an organization's data. This entails users and employees accessing software such as email systems, in-house business applications, 3rd party application software and other tools from front-end devices like desktop computers, laptops, mobile phones and tablets. The software may run locally on the client-side devices, on back-end servers, on “cloud” servers (public or private), or with service providers who offer SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) or IaaS (Infrastructure-as-a-Service).

Cyber security risks are those that arise mostly from the environment external to an organization and could result in a loss, a breach of data or a harmful disruption to business. The threats include ransomware, phishing mails, virus and other malware attacks, hostile hackers, competitors and social engineering; these external attacks take advantage of internal security lapses such as poor configuration controls in systems, in applications and in cloud environments. These risks have to be dealt with as close to real time as possible, which may require threat intelligence tools backed by a comprehensive security program.

What follows is a quick overview of the various stages of digital transformation an organization may adopt. Each level requires a different set of actions for managing both digital and cyber security risks; there is no “one-size-fits-all” answer. However, keep the big picture in mind: poor controls, in whatever form (physical, digital technology, security flaws in applications or software solutions, device-dependent issues, insider or outsider fraud, process flaws), need to be addressed in order to mitigate both digital and cyber security risks.

  1. Level 1: The digital adoption or transformation journey for an organization (especially a newly set up business or an upcoming small or medium business) can start from the implementation of a basic financial accounting software package (perhaps even a desktop or client-server version) that reduces manual activities in finance and accounting processes.
    1. Digital risks: Excessive authorization rights (access control), insufficient internal controls, insider fraud.
    2. Cyber security risks: Minimal, provided the system is not exposed to the internet (the workstations hosting it still need patching and anti-malware protection).
  2. Level 2: Large enterprise software can be traced back to its humble roots in financial accounting software. “Enterprise Resource Planning” software (ERP) digitizes almost all business functions and operations, with tight integration between business processes, and can provide good process controls configured to the organization's requirements. Many companies benefitted greatly from the adoption of a good ERP system as the start of their digital transformation journey. ERP was generally implemented using in-house resources and managed internally by the company's own IT department.
    1. Digital risks: Excessive authorization rights (access control), insufficient internal controls, absence of testing of automated, semi-automated and manual controls, insider fraud.
    2. Cyber security risks: If access is limited to authorized employees on the premises, the risk can be perceived as limited. However, once the system is reachable beyond the local network (over the WAN or the internet, for example for remote users or integrations), cyber risks require monitoring.
  3. Level 3: Some small organizations took to “cloud solutions” available on a pay-per-use basis as SaaS (Software-as-a-Service), saving them time and budget.
    1. Digital risks: Excessive authorization rights (access control), insufficient internal controls, absence of testing of automated, semi-automated and manual controls, insider fraud.
    2. Cyber security risks: Dependence on the security offered by the cloud solution. Under the shared-responsibility model the provider secures the platform, but the customer remains responsible for user identities, access rights and the configuration of its own tenant.
  4. Level 4: As technology advanced, the explosion of the internet and the possibilities it offered for collaboration, internally with workflow tools and externally with vendors, customers, partners and other supply chain entities, opened up new business models such as B2B and B2C scenarios that made agile business processes and decisions possible. Giving business partners a window into the supply chain for end-to-end visibility became feasible.
    1. Digital risks: Excessive authorization rights (access control), insufficient internal controls, insider fraud.
    2. Cyber security risks: Exposure of part of the business application processes to partners, customers and suppliers; payment gateway interfaces and integrations.
  5. Level 5: Outsourcing business functions became a worthwhile option for many large conglomerates that wanted to focus on their key strategic business processes. This led to what is known as the “Business Process Outsourcing” or BPO model. Boundaries extended beyond countries, with companies outsourcing their operations to other countries across continents, making it a truly borderless operation.
    1. Digital risks: Information leakage, excessive authorization rights, insufficient internal controls, and the choice and security characteristics of the BPO's software for processing and transmitting data.
    2. Cyber security risks: Phishing, hacking, virus attacks, etc. against the BPO's systems and software, which now form part of the organization's own attack surface.
  6. Level 6: Technology saw a boom in the electronics and telecommunications industry, where devices such as mobile phones, the iPad and other tablets became tools for controlling your business processes remotely, wherever you happened to be. Many emerging (and still evolving) authentication mechanisms such as the One Time Password (OTP), two-factor authentication combining a password with an OTP, biometric devices and facial recognition software made it possible for businesses to adopt this in their digital transformation journey.
    1. Digital risks: Risks associated with login, password policies and authentication mechanisms for providing access to remote applications.
    2. Cyber security risks: BYOD (Bring Your Own Device) policies require periodic checks on the devices (patch level, anti-malware, etc.); phishing, hacking and other external cyberattacks aimed at remote users.
  7. Level 7: With the green environment revolution taking root, investing in more hardware, software and server “farms” exclusively for one organization became not only costly but also unmanageable and environmentally unfriendly. The public/private cloud options and the hybrid option (keeping some processes on in-house systems and the rest in a cloud environment) became attractive. Maintaining in-house infrastructure was seen as an expendable activity wherever possible, and the resulting cost savings benefitted the businesses.
    1. Digital risks: Private cloud carries all the digital risks mentioned in Levels 2, 3 and 4.
    2. Cyber security risks: Adequacy of security in public cloud and hybrid environments, including the organization's own configuration of identities, network exposure and storage.
  8. Level 8: The “Internet of Things” (IoT) (a system of interrelated, internet-connected objects that collect and transfer data over a wireless network without human intervention), the “Industrial Internet of Things” (IIoT) (IoT applied to industrial sectors and applications, including robotics, medical devices and software-defined production processes), Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL), etc. have redefined how businesses (and even individuals at home) interact with devices built on these technologies.
    1. Digital risks: The extent of data exposed by the devices and the access controls around it.
    2. Cyber security risks: Misuse of remote access by the device manufacturers, data privacy breaches, hacking of the devices themselves (devices that are rarely patched or that keep default credentials are easy targets).
  9. Level 9: Increased use of social media and open platforms brought about an explosion of big data that is continually generated, examined and utilized by businesses, and one had to look to data scientists to provide the means of analysis, using tools for predictive analysis and behaviour, consumer analytics and intelligent push mechanisms using AI and ML, etc.
    1. Digital risks: Improper modelling techniques that give wrong results; exposure of data and sensitive information.
    2. Cyber security risks: Misuse of social media footprints, breach of private information, hacking of sensitive data, etc.

Check which level your organization is in and delve deep into the digital and cyber security risks at that level for effective risk mitigation.